โ† All guides

How to spot a fake login page

Scammers clone real sign-in pages pixel for pixel to steal your password. Here's how cloned login pages work, the tells that give them away, and how a deeper scan catches the ones that look perfect.

A fake login page has one job: to look exactly like the real one for long enough to capture your password. Modern clones are good - copied logos, the right fonts, a working "forgot password" link. The page can be a flawless replica of your bank's sign-in screen and still be sitting on a domain a scammer registered last week.

This guide covers how cloned login pages work and how to catch them - including the ones that look perfect to the eye. If you've already entered your details on one, skip to what to do after clicking a phishing link.


How a cloned login page works

Cloning a sign-in page is trivial. A scammer saves the real page's HTML, images, and styling, then hosts the copy on their own server. To you it looks identical. The difference is where your password goes: instead of logging you in, the page quietly sends what you type straight to the scammer, then often forwards you to the real site so nothing seems wrong.

You usually arrive at one of these pages through a link - a phishing email, a fake bank text, a fake delivery text, or a sponsored search result. The message creates a reason to sign in urgently: a blocked account, a held parcel, a suspicious payment. Urgency is the point - it stops you checking the address bar.


The tells that give a fake away

Because the page itself is a copy of the real thing, the giveaways are mostly around it, not in it.

The domain doesn't match

This is the single most reliable check. A real login page lives on the company's real domain. A clone can't - the brand already owns the genuine address. Look for extra words, swapped characters, or odd endings: login-barclays.com, secure-paypal-account.net, microsoftonline-verify.com. If the brand name appears only as a subdomain (apple.com.account-verify.net), the real domain is the part at the end, not the brand. See how to spot a lookalike domain for the full breakdown.
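The same domain check in code, as an added example that is not SniffTest's code. The function names and the tiny suffix set are assumptions made for illustration; real tooling would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List (assumption);
# real tooling should load the full list published at publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def _host(url):
    """Lower-cased hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(url):
    """The public suffix plus one label to its left: the part someone registered."""
    labels = _host(url).split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def check_login_url(url, official_domain):
    """Classify a sign-in URL against the domain the brand really owns."""
    brand = official_domain.split(".")[0]
    host, reg = _host(url), registrable_domain(url)
    if reg == official_domain:
        return "match"
    subdomain = host[: -len(reg)].rstrip(".").split(".")
    if brand in subdomain:
        return "brand-in-subdomain"   # e.g. apple.com.account-verify.net
    if brand in reg:
        return "brand-in-lookalike"   # extra words around the brand name
    return "mismatch"                 # includes swapped-character names


if __name__ == "__main__":
    for url, official in [
        ("https://www.paypal.com/signin", "paypal.com"),
        ("https://secure-paypal-account.net/login", "paypal.com"),
        ("https://apple.com.account-verify.net/id", "apple.com"),
    ]:
        print(check_login_url(url, official), registrable_domain(url), url)
```

Anything other than "match" means the sign-in page is not on the brand's own domain, whatever the rest of the address says.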

You arrived from a link, not from typing the address

If you reached a sign-in screen by clicking a link in a message, treat it as suspect by default. Open a new tab and type the address yourself, or use your bookmark or the official app. Never sign in via a link you didn't expect.

It asks for too much

A real login asks for your username and password. Be very wary if a "login" page also asks for your full card number, PIN, security questions, or a one-time passcode all on the same screen. Banks don't collect all of that to let you in.
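A reviewer can apply this check to a saved copy of a page. The following is an added example, not code from SniffTest; the field-name patterns and both HTML samples are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Hypothetical name/autocomplete patterns (assumption); extend for the forms you review.
EXTRA_FIELDS = {
    "card number": re.compile(r"card|cc-number", re.I),
    "pin": re.compile(r"(^|[^a-z])pin([^a-z]|$)", re.I),
    "one-time passcode": re.compile(r"otp|one-time-code|passcode", re.I),
    "security question": re.compile(r"security[-_ ]?(question|answer)", re.I),
}


class LoginFormAudit(HTMLParser):
    """Records, per <form>, whether it has a password field and which extras."""

    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"password": False, "extras": set()}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            desc = " ".join(a.get(k) or "" for k in ("name", "id", "autocomplete"))
            kinds = {k for k, rx in EXTRA_FIELDS.items() if rx.search(desc)}
            if kinds:  # a PIN box is often type=password, so test the name first
                self._open["extras"] |= kinds
            elif (a.get("type") or "").lower() == "password":
                self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def asks_for_too_much(html):
    """Sorted extra field kinds requested in the same form as a password."""
    audit = LoginFormAudit()
    audit.feed(html)
    found = set()
    for form in audit.forms:
        if form["password"]:
            found |= form["extras"]
    return sorted(found)


# Constructed sample pages, not taken from any real site.
GENUINE = '<form><input name="username"><input type="password" name="password"></form>'
CLONE = GENUINE.replace("</form>", '<input name="card_number">'
    '<input type="password" name="pin"><input name="code" autocomplete="one-time-code"></form>')
```

This reads static markup only; a form that is built by scripts after the page loads has to be checked against the rendered page instead.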

Small things are slightly off

Clones are often built from a snapshot of the real page, so details drift: an old logo, a missing cookie banner, a "forgot password" link that goes nowhere, last year's promotional banner. Nothing definitive on its own, but worth noticing.

The padlock proves nothing

A padlock and https:// only mean the connection is encrypted - scammers get certificates too. A fake login page can have a perfect padlock. It tells you the page is private, not that it's genuine.


Why some fakes look perfect - and how a deeper scan catches them

The hard cases are the clones with a clean domain history and no obvious tells, sometimes hosted on hijacked legitimate sites. Judging the page by eye won't save you there. That's where checking the page itself, not just its address, matters.

When SniffTest can't settle a verdict from the address alone, it runs a deeper scan: it actually opens the page in a real browser, lets it fully load, and reads the rendered result - so a page that hides its true content from simple scanners, or only reveals the fake form after the page runs, has nowhere to hide. It compares what the page looks like against the brand it appears to imitate, checks the domain age and history, looks for password and card-entry forms on a domain that has no business collecting them, and flags when a site is wearing a well-known brand's appearance on an address that brand doesn't own.

Paste the link into SniffTest before you sign in anywhere. It runs 17 checks and returns a plain-English verdict in seconds - and for the borderline cases, the deeper scan looks at the real, rendered page so you don't have to gamble on a clone that looks flawless.

Check a login link on SniffTest →


What to do if you've already entered your password

Act quickly - speed limits the damage:

  1. Change your password for that account immediately, from a device you trust, by typing the real address yourself.
  2. If you reuse that password anywhere else, change it there too.
  3. Turn on two-factor authentication if it isn't already on.
  4. If it was a bank or payment account, call them on the number on the back of your card and tell them.
  5. Watch the account for unfamiliar logins or transactions over the following days.

See what to do after clicking a phishing link for the full recovery steps.


Warning signs

  • You reached the sign-in page from a link in an unexpected message
  • The domain has extra words, swapped characters, or an unusual ending
  • The page asks for more than a username and password - card number, PIN, full security details
  • Small details look dated or slightly wrong
  • There's pressure to sign in now or lose access

Signs you're probably fine

  • You typed the address yourself or used your own bookmark or the official app
  • The domain matches the brand exactly
  • The page asks only for your normal login credentials
  • The account behaves normally after you sign in, with no repeated requests

Frequently asked questions

Q: How can a fake login page look exactly like the real one?

A: Because it usually is the real page, copied. Scammers save the genuine page's code and images and host the copy on their own server. The appearance is identical; the only reliable difference is the domain in the address bar and where your password actually goes when you submit it.

Q: Does the padlock mean a login page is safe?

A: No. The padlock only means the connection is encrypted. Scammers can and do get certificates for their fake pages, so a padlock can sit on a perfect clone. Check the domain, not the padlock.

Q: How do I know if a sign-in page is genuine?

A: Check the domain matches the brand exactly, and make sure you reached the page by typing the address or using a bookmark rather than clicking a link. If you're unsure, paste the link into SniffTest before entering anything - its deeper scan opens and reads the real page to spot clones that look perfect.

Q: I entered my password on a fake page - what now?

A: Change that password immediately from a device you trust, and change it anywhere else you reused it. Turn on two-factor authentication, and if it was a bank or payment account, call them using the number on your card. The faster you act, the less a scammer can do.


Cloned login pages are the payload at the end of most phishing and smishing attacks. Learning to read a domain - see how to spot a lookalike domain - is the single most useful habit for catching them.
